2012 Is Just Around the Corner…
Recently, while doing some fraud trending and analysis, I was reviewing several news feeds trying to get a feel for current fraud events globally. The reality is that you don’t have to look very hard to find a “fraud pulse” as there is no shortage of news about people or corporations committing fraud anywhere. Corporate scandals like Olympus pop up to remind us that senior executives continue to commit fraud despite the fact that we are now ten years past one of the greatest corporate frauds of all time: Enron.
As we approach the end of the year, the number of fraud cases being reported across all industries certainly isn’t slowing down despite efforts and government regulation to curtail it. Have you ever stopped to think about why that is? It’s an interesting question and my take is that if there’s one thing that’s constant, it’s change.
Criminals committing fraud continually adapt their methods and schemes in accordance with regulation, anti-fraud methodologies, technology and controls being deployed by companies trying to safeguard their proprietary business information, consumer data, products and funds. There’s no shortage of stories in the news which demonstrate the diversity of fraud being committed globally.
The Fraud Mindset
Criminals continually attack the “weakest link,” which isn’t always a company with zero controls in place (although that’s highly likely) but may be a company with under-evaluated controls, technology, processes, procedures, policies or understaffed, undertrained or undereducated personnel in place to effectively handle the task.
The mistake many make when thinking about fraud and risk prevention, detection and investigation lies in their mindsets. Effective fraud prevention and risk mitigation simply aren’t a matter of “deploy the tools and forget about it.”
In fact, effective fraud prevention and risk mitigation must be a fluid and dynamic effort involving regular program review and analysis assessing both strengths and weaknesses (vulnerabilities). The result of this kind of review doesn’t necessarily require making wholesale changes, although it might if the business environment has changed significantly since program or control implementation. More likely, a company’s response might involve making minor control tweaks and adjustments in accordance with the risks being faced on a daily basis. This kind of ongoing adjustment is paramount in any effective risk mitigation strategy.
These types of program assessments should be conducted regularly. While every business’s definition of “regular” is going to vary, the type of business and risks referenced above usually dictate the frequency of the assessment, analysis and updates.
Quarterly assessments may be necessary for some businesses depending on the nature of the business and the markets they compete in, while other businesses may find that a semi-annual review is acceptable. At the very minimum, an annual operational anti-fraud and risk review should be scheduled and conducted, but aside from scheduled operational assessments, threats and losses usually dictate the need and frequency.
I was reminded of this as we approach the end of the year and transition from 2011 to 2012. The New Year is a perfect opportunity for organizational review, analysis and anti-fraud metamorphosis to take place. Oftentimes, executives simply view this as a systems (technological) assessment, and while technology is certainly a core part of any good anti-fraud program, focusing exclusively on technological tools is a critical operational mistake as there are many other components that should be included in any anti-fraud “deep dive.”
Case in point, no matter how great the fraud prevention, detection or investigation technology is that your business deploys, it takes people to make systems work and according to Geoffrey Fowler in an article (What’s a Company’s Biggest Security Risk? You.) in The Wall Street Journal: “We are the weakest link.”
Tear Down Silos
There are several schools of thought on this issue but as a fraud and investigations professional, having spent my entire career in the private sector, my opinion is that silos make for poor fraud risk management. In a world where corporate business units often build silos around their data, applications and personnel, effective corporate fraud prevention becomes that much more difficult, if not impossible.
John Kotter, Professor of Leadership, Emeritus at the Harvard Business School, and I share the same opinion on the negative effect of corporate silos. In an article titled Breaking Down Silos, Kotter said, “Silos can arise in any firm, large or small, and are detrimental to organizational success.”
Senior management interested in a robust anti-fraud or risk mitigation platform must infuse an air of open communication, cooperation and holism into the anti-fraud and risk equation ensuring that all areas are working in conjunction with each other.
While it’s possible for individual business units to still have anti-fraud/risk mitigation success on their own, a siloed work environment usually ensures a closed atmosphere where the “left hand truly doesn’t know what the right hand is doing.” In this type of scenario smaller individual business unit successes may ultimately lead to larger company defeats and losses as there isn’t a more comprehensive, holistic anti-fraud plan in place which incorporates all business units working together.
The reality, from my experience, is that managers of silos often resist the requirement to be more cooperative and transparent, most often expressed in a territorial “I own it” manner. However, that type of individualistic attitude cannot deter senior management.
The most successful businesses I’ve come across recognize that successful fraud and risk management programs must utilize a holistic approach centered around getting key business unit leaders to the same table, providing them with an “actionable” agenda and ensuring that they are all working toward a common corporate goal: fraud/risk mitigation. This type of holistic effort increases ROI and translates directly to a corporation’s bottom line.
While there are tangible financial results from operating holistic fraud and risk mitigation programs, pulling this off requires senior management buy-in and oversight (starting in the C-suite) to ensure that all relevant business units (e.g. audit, compliance, fraud, finance, legal, infosec, security) contribute to the company’s fraud/risk mitigation effort in a well-thought-out, planned and orchestrated manner.
Management oversight and responsibility for these kinds of programs is found in the executive summary of the COSO Enterprise Risk Management (ERM) Integrated Framework:
“Everyone in an entity has some responsibility for enterprise risk management. The chief executive officer is ultimately responsible and should assume ownership. Other managers support the entity’s risk management philosophy, promote compliance with its risk appetite, and manage risks…”
5 Ways To Create An Anti-fraud Environment in 2012
While no fraud/risk mitigation plans are foolproof, there are many steps you can take to ensure your company has a healthy anti-fraud environment in 2012. Here are five things to think about:
1. Be Proactive – Don’t wait until your company is front-page news in The Wall Street Journal before taking action to patch the holes and prevent further fraud. Get out in front of your fraud/risk mitigation effort before it’s too late.
2. Evaluate Controls Regularly – Fraud and risk controls should be evaluated regularly in accordance with changes in the market, regulatory, legal, compliance, audit or business environment.
3. Think Like a Criminal – Flip it around. How would you attack your company if you were on the other side of the fence? Identify those weaknesses, then plug those holes.
4. Outside Evaluation – The old adage “you can’t see the forest for the trees” definitely applies here. After you’ve stared at your fraud and risk methodologies long enough, you won’t see the obvious holes. Bring in a fraud expert to independently evaluate your fraud operation and help identify key business areas that can be strengthened and improved. A fresh set of eyes may quickly see what you cannot.
5. Think Holistically – While there is no “I” in team, there are two in holistic. Get all your business units on the same page, make sure they’re communicating openly and working together on the same risk and anti-fraud agenda.
All this leads me to one important question: “How is your business positioned for the fraud challenges that 2012 will certainly bring?”
The new year is right around the corner and if you haven’t already, there’s no better time than now to conduct your annual assessment … if you’re thorough, you might be surprised at the fraud vulnerabilities you discover and can fix before they become front-page news! If you aren’t, the criminals will gladly find, and exploit, your weaknesses for you.